I've an application that need to get list of groups for external network of Yammer. Until last time it's worked so:
/api/v1/oauth/tokens.json brought list of tokens\networks AND COOKIES: yamtrak_id=[id from yammer], _workfeed_session_id=[session id from yammer] during "Authorization Bearer [access_token]"
The permalink https://www.yammer.com/name_of_my_network/api/v1/groups.json with this cookies brought list of groups
Now, when I've signed up with Yammer and took new access token, then /api/v1/oauth/tokens.json respond without this cookies
But when I've used old access token, that was created since two months, /api/v1/oauth/tokens.json ** brings an answer with this cookies**
How to get list of groups without permalink or how to make "right" session that works with permalink?
Related
I managed to login with google plus, but after authenticating, I'm not sure which of the values is the unique value to authenticate the user.
After authenticating, I see a response with fields like:
access_token, code, id_token, but I'm not sure which to use?
access_token: you use this to make API calls as the user who has just signed in - e.g. to retrieve profile information. This is valid for 1 hour.
id_token: this is a special signed blob which contains the user id of the signed in user, and the client ID of you application, can be used to identify the user. This is valid for one hour also.
code: you can send this to a server to exchange for an access token (to allow the server to make calls). This is valid for a few minutes.
In general you will use the access token to retrieve the user's name and photo as a next step: https://developers.google.com/+/web/people/#retrieve_profile_information
I'm reading/learning about token based authentication and I'm understanding it to a degree but the following questions have arisen.
If you log into site A you are given a token, this token will expire 24 hours after creating it.
You also visit Site B which calls an API from site A that allows you to give site B access to your information stored on site A. At this point a token is passed to site B to use for 24 hours.
Is this the same token? (So if you logged into Site A via site B, 23hrs59mins after logging into site A directly you would only have a minutes access to your info through site B before needing a new token?)
If its not the same token and you store your token in a table which links it to the user would you have multiple tokens per user?
Is it wise to to generate your token(s) as a random uniquely generated code and store it in the database along with the users log in details or is it better to create a token which takes a combination of the log in details and encrypts it (if so, how do you change the token each time).
Is this the same token?
Well that depends on Site A. Using the same token would mean that Site B has access to everything that your login on Site A allows you to access. If this didn't seem appropriate, then Site A would generate a new token with a more limited access. In this case, there would be multiple tokens per user.
So if you logged into Site A via site B, 23hrs59mins after logging into site A directly you would only have a minutes access to your info through site B before needing a new token?
If it expires 24 hours after creation (which you mentioned), then yes. Often the expiry would be updated upon every access though, so this might renew it for another 24 hours.
Personally, I would (and have) generate token as a random uniquely generated code. I think either would work though, and I'm sure you can find lots of opinions out there, like
here or here.
I'm making a website for a football club. they have one google calender (and just one google account). on the website I'd like to have a list of upcoming events. So I've to access to Google Calendar via Google API. For Authorisation I've to use OAuth2. Is it possible to login with OAuth2 automatically so that the website visitors don't have login always via redirect (to google login site)? For example I make a the login via Java, instead of a user login? Because it's no so comfortable if every user of the website have to login, for just viewing the club calendar.
Not sure it is possible,
Important note concerning your design: if you login automatically to the club's account, it means that everyone that uses this website is logged in to Google Calendar on behalf of the club's user name. hence, everyone can CHANGE the calendar, delete events, etc.
Are you sure you want this to happen?
(you can set the login params to "read-only", but even then, it means that the club shows ALL his calendar to everyone. there is no privacy...)
I suggest that every user logins with his own creds, and the club's calendar can invite all registered users to his events....
Of course, you can do it, and even without giving the access to the visitor if you're doing this on the server side.
You need to do a initial step by hand.
After this step you get a refresh token, with this token you can regenerate the access token which you need to access to the calendar API, for instance to get the upcoming events.
You need to regenerate the access token if the previous access token is expired. In this case you also get an new refresh token. You need to save it, into a database or JSON file.
To get a refresh token you need to pass this options on authorization:
access_type: "offline"
approval_prompt: "force"
Without these options you only get an access token, no refresh token.
Here is the documentation: https://developers.google.com/accounts/docs/OAuth2WebServer#formingtheurl
And here a kind of tutorial: http://www.tqis.com/eloquency/googlecalendar.htm
I am working on a web app. Front-end only interacts with back-end through RESTful API(it's called SOA architecture), and back-end only sends data to front-end in JSON.
My question is:
1) is it the best practice to design the authorization through RESTful API? or it is best to check authorization (user-> role -> privilege) at back-end code?
e.g.: do we ask user /checkPrivilege/{...} every time before executing other API?
2) How it is usually to implement 3 plans with different features & UI in RESTful API?
e.g.: do we use api to limits 5 users for this plan? or we do it at back-end code?
This is an old question, but I'll answer this anyway just in case some looks it up.
The short answer is you do it through the backend. The URI you are requesting should not contain any information about the user. Any session/identifying data should be sent in HTTP Headers.
Your RESTful API is always going to be loaded through a front controller like index.php. This is where you will want to bootstrap an authorization tool to check every single page request for credentials before executing the rest of your code.
Those credentials, at a MINIMUM, should contain a unique authorization token for the user who is making the request, and this token needs to be sent in every request (again, I recommend via an HTTP header). Bonus points if you grant a temporary access token that will expire, so as to prevent unauthorized access at a later date.
But for simplicity, let's say you are just using a permanent unique token per user. You would then store this token along with all the other data about the user, that other data should include an account_id for the account that user is a part of.
So for each request you would:
grab the user token from the HTTP Header
Look up the user based on that token.
If the user is found, then use their account_id to look up the master account their personal account is associated with
If it matches, grant them access
But remember, your URL should never contain this information in anyway. RESTful URLs are stateless.
I am building a service in which users do not have to create an account to sign up, but use Google account as exactly does Stackoverflow.com
My Question is there is any unique information of an user in OAuth2 which never change, so I can use it as user id in my database.
After looking through Google OAuth2 API, I've ended up that all tokens are arbitrary every time session is established.
I would like to know how such sites as Stackoverflow extract the user information to sign up.
After getting the initial access token use the tokeninfo endpoint to get user_id.
https://www.googleapis.com/oauth2/v1/tokeninfo?access_token=" +
Uri.EscapeDataString(response.AccessToken))